Recently Mercurial has added certificate validation when connecting to HTTPS servers. I'm trying to clone the wiki repository for a Google Code project at https://wiki.droidweight.googlecode.com/hg/, but the certificate is for *.googlecode.com.
Google Code's certificate does not cover multiple subdomains like *.*.googlecode.com.
I'm getting the error:
% hg clone --verbose https://wiki.droidweight.googlecode.com/hg/ -- C:\workspace\wiki
abort: wiki.droidweight.googlecode.com certificate error: certificate is for *.googlecode.com, googlecode.com, *.codespot.com, *.googlesource.com, googlesource.com (use --insecure to connect insecurely)
I need to get the certificate fingerprint. This SO answer says how to do it on *nix.
How would one get the fingerprint on Windows 7 (Home Premium)?
References:
Open issue on Google Code's support site.
Mercurial CA Certificates FAQ.
Which version of Mercurial are you using? 1.8.2 prints the fingerprint when you clone, as per the documentation.
EDIT: After some testing, I realised that Mercurial prints the certificate when you connect insecurely (I don't have web.cacerts configured, so cloning always succeeded, though with a warning). So if you pass --insecure to your hg clone, you'll get a clone and a fingerprint.
Alternatively, install GnuWin32! It makes the Windows command line a fun place to be :) (I have no affiliation with GnuWin32; just hugely appreciative.)
Related
I have already tried a lots of options available for this problem on stackoverflow, unfortunately nothing is working for me so far.
It started with composer installation. My env details are listed below:
OS: Windows 7
PHP V 7.1.10, XAMPP version
I am running MINGW64, (which was installed with git v2.1.5)
curl --version
curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0
Release-Date: 2017-10-23
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink
Now here it seems CURL with OpenSSL is installed correctly.
When I was doing composer require or install it was reported me an error as follows:
I searched and figured out that its the local certificate problem so I downloaded the certificate/bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini
curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt"
openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"
this never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt, changed the ini still it didn't work.
Then I downloaded cacert.pem from
https://gist.github.com/VersatilityWerks/5719158/download
and repeated steps to make it work with pem file.
However I am afraid still no success here.
Can anyone help me whats wrong going on here? Any help in this direction is much
appreciated.
This is for Windows users, using curl-7.57.0-win64-mingw or similar version.
I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So, sharing the step-by-step process.
This error basically means, curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. It's a local IIS certificate, and you trust it for your development purposes).
For that, browse the URI (e.g. on Chrome) and follow the steps
Right click on the HTTPS secure padlock đź”’ icon on address bar
Click on certificate, it'll open a window with the certificate details
Go to 'Certification Path' tab
Click the ROOT certificate
Click View Certificate, it'll open another certificate window
Go to Details tab
Click Copy to File... button, it'll open the export wizard
Click Next
Select 'Base-64 encoded X.509 (.CER)'
Click Next
Give a friendly name that you can remember e.g. 'MyDomainX.cer' (browse to desired directory) and save
Click Next
Click Finish, it'll save the certificate file
So what did we do?
We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?
Add that certificate to the list of trusted certificates
Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
Append the copied certificate text to the end of the file. Save
What did we do now?
We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.
Now your command should execute fine on curl.
Just posting this here for posterity as I spent the last 2 hours on this.
NOTE: only tested on windows.
Make sure you have the curl version with ssl included ( the latest exe installer has it)
Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Move the cacert.pem file to the curl.exe directory.
Fixed.
I use sourcerepo.com as SVN server. My XCode5 bot complains : error validating server certificate for "https://myproject.sourcerepo.com:443"
- the certificate is not issued by a trusted authority. Use the fingerprint etc....
How can I make my XCode Server accept this svn server and retrieve sources ?
thanks for your advice
Frank
Verify why the certificate is untrusted. (E.g., is it a self-signed certificate?)
Start Terminal and run svn info https://myproject.sourcerepo.com:443/<path-to-repository>. Accept the certificate permanently when prompted.
I found a way to make it work from the Xcode 5 release notes:
https://developer.apple.com/library/ios/releasenotes/developertools/rn-xcode/xc5_release_notes/xc5_release_notes.html
Communicating with a remote SVN repository over HTTPS can fail with an
error similar to “Error validating server certificate for server
name.” Edit the file
/Library/Server/Xcode/Config/xcsbuildd.plist
and change the TrustSelfSignedSSLCertificates key from false to true.
Then, from a Terminal window, run:
sudo killall xcsbuildd
I did exactly the above. To edit the file you actually need to
sudo vi /Library/Server/Xcode/Config/xcsbuildd.plist
After restarting the build daemon I was able to get my Xcode bot to checkout the sources from the remote repository and perform the integration. Hope this helps!
I have downloaded cURL for Windows from here. I selected the Win64 - Generic version without SSL. I try to run curl https://www.google.com from the command line and I get the following error: curl: (1) Protocol https not supported or disabled in libcurl.
Okay! Next, I decide to download the version with SSL and install that. I try to run the same command as above and I get following error:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate
Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you
can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
What should I do next?
Here's what I did to solve the problem.
I got the Bundle of CA root certificates that Mozilla uses from here. I copied the data from the page and saved it in a new file called curl-ca-bundle.crt in the folder where the curl.exe file was. That solved the problem.
Of course, these instructions are also found on the cURL documentation page for SSL certificates, precisely instructions 4 and 5.
Hope that helps.
Until now I'm using SmartSVN to access our https-protected repository smoothly. SmartSVN simply asked for my certificate and the passphrase and was happy.
Now I want automatic update and commit and hence try EasySVN which is a TortoiseSVN-derivate. Unfortunately, it does not ask me for my credentials and just fails with "No certificates available".
When I try to perform an update on command line SVN, it asks me for the certificate and passphrase (why TortoiseSVN can't do that?), but fails:
E:\test>svn update
Updating '.':
Authentication realm: https://ourserver:8888
Client certificate filename: e:\path\to\my\certificate.p12
svn: E175002: Unable to connect to a repository at URL 'https://ourserver:8888/svn/my/checked/out/path'
svn: E175002: OPTIONS of 'https://ourserver:8888/svn/my/checked/out/path': SSL handshake failed: Secure connection truncated (https://ourserver:8888)
This page tells you where to store a cert for TortoiseSVN, but it seems there's an issue with this in EasySVN, there's a ticket here (hasn't been updated in a while though)
I'm facing some problems while git clone a repo from my ubuntu server running gitolite.
First, I got a public key from the developer who wants to clone the repository from the server. It was a rsa key created with putty. So I did the following to parse it from the putty-style to openssh format with:
ssh-keygen -i -f /tmp/ssh2/YourName.pub > /tmp/openssh/YourName.pub (taken from http://gitolite.googlecode.com/git/doc/ssh-troubleshooting.mkd?r=d3a663d03f1027f909732d55d0519bdd84edb62c)
and uploaded the public key along with a new entry for the repo and the new user in the config file to gitolite-admin repo.
So far, so good.
The developer is using **** along with putty to connect to the server, which is running git on a non-standard port and he keeps on getting the same error over and over again:
Cloning into 'D:\path\to\dirctory'...
error: Recv failure: Connection was reset while accessing http://sub.domain.com/info/refs
fatal: HTTP request failed
git did not exit cleanly (exit code 128)
Could anyone give me some advice about this issue?
EDIT:
In the meantime, we managed to git clone the repository by addressing it with the ssh:// protocol instead of git://, so it doesn't seem like it is a problem of the rsa_public.key or something like that.
The iptables on the server are accepting connections through the port for git, but it keeps on giving the above mentioned error.
The OP herom initially commented that the developer used git://git#remote.server.com:port/repo.git as an address.
I asked if there was any firewall issue, preventing the use of the git port (9418), but the OP mentioned:
no, there shouldn't be a firewall issue as iptables is accepting traffic for the git port - the port is forwarded and appears to be another port when connecting from outside...
Now, the developer cloned the repo through ssh:// (and even connecting to the ssh-port!)
I note that the git port can sometime be blocked, as illustrated in this thread.
If not on the client side, maybe on the server side.